Bug 790037

Summary: virsh --connect qemu:///system fails: Authorization requires authentication but no agent is available.
Product: [Fedora] Fedora Reporter: Frank Murphy <frankly3d>
Component: libvirtAssignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: berrange, clalancette, crobinso, dougsland, dpierce, eblake, hbrock, itamar, jforbes, laine, libvirt-maint, rjones, veillard, virt-maint
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 795978 (view as bug list) Environment:
Last Closed: 2012-11-01 08:41:55 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 795978    

Description Frank Murphy 2012-02-13 09:29:09 EST
Description of problem:

1: enable dbus.service
2. enable avahi-daemon.service
3. start libvirtd.service

on command line:

systemctl status libvirtd.service
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running) since Mon, 13 Feb 2012 14:07:21 +0000; 18s ago
 Main PID: 1830 (libvirtd)
   CGroup: name=systemd:/system/libvirtd.service
    ├ 1830 /usr/sbin/libvirtd
    └ 1935 /sbin/dnsmasq --strict-order --bind-interfaces
--pid-file=/var/run/libvirt/network/default.pid --conf-file= --ex...

Feb 13 14:07:23 testvm libvirtd[1830]: 2012-02-13 14:07:23.694+0000: 1841:
error : virCommandWait:2308 : internal error Child proce...ebtables
Feb 13 14:07:23 testvm libvirtd[1830]: cmd='$EBT -t nat -L'
Feb 13 14:07:23 testvm libvirtd[1830]: eval res=\$\("${cmd} 2>&1"\)
Feb 13 14:07:23 testvm libvirtd[1830]: if [ $? -ne 0 ]; then  echo "Failure to
execute command '${cmd}' : '${res}'.";  exit 1;fi
Feb 13 14:07:23 testvm libvirtd[1830]: ) status unexpected: exit status 1
Feb 13 14:07:23 testvm libvirtd[1830]: 2012-02-13 14:07:23.773+0000: 1841:
error : virCommandWait:2308 : internal error Child proce...p6tables
Feb 13 14:07:23 testvm libvirtd[1830]: cmd='$IPT -n -L FORWARD'
Feb 13 14:07:23 testvm libvirtd[1830]: eval res=\$\("${cmd} 2>&1"\)
Feb 13 14:07:23 testvm libvirtd[1830]: if [ $? -ne 0 ]; then  echo "Failure to
execute command '${cmd}' : '${res}'.";  exit 1;fi
Feb 13 14:07:23 testvm libvirtd[1830]: ) status unexpected: exit status 1

in virt-manager window:
Unable to connect to libvirt:

authentication failed: Not authorized.

Could not detect a local session: if you are 
running virt-manager over ssh -X or VNC, you 
may not be able to connect to libvirt as a 
regular user. Try running as root.

Libvirt URI is: qemu:///system

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/connection.py", line 1185, in
_open_thread
    self.vmm = self._try_open()
  File "/usr/share/virt-manager/virtManager/connection.py", line 1167, in
_try_open
    flags)
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 102, in openAuth
    if ret is None:raise libvirtError('virConnectOpenAuth() failed')
libvirtError: authentication failed: Not authorized.

But it should let me in due to:

/var/lib/polkit-1/localauthority/50-local.d/virt-manager.pkl

 [Local virt-manager Permissions]
Identity=unix-user:frank
Action=org.libvirt.unix.*
ResultAny=no
ResultInactive=no
ResultActive=yes


Version-Release number of selected component (if applicable):
libvirt-client-0.9.10-0rc2.fc17.x86_64
libvirt-0.9.10-0rc2.fc17.x86_64
libvirt-python-0.9.10-0rc2.fc17.x86_64
virt-manager-0.9.1-1.fc17.1.noarch
virt-manager-common-0.9.1-1.fc17.1.noarch
Comment 1 Cole Robinson 2012-02-13 15:39:12 EST
Does virsh --connect qemu:///system as regular user work? Or is this specific to virt-manager?

Did that policykit configuration work on f16?
Comment 2 Frank Murphy 2012-02-13 18:05:18 EST
(In reply to comment #1)
> Does virsh --connect qemu:///system as regular user work? Or is this specific
> to virt-manager?


frank@testvm ~$ virsh --connect qemu:///system
WARNING: gnome-keyring:: couldn't connect to: /tmp/keyring-D69WWU/pkcs11: No such file or directory
error: authentication failed: Not authorized.

error: failed to connect to the hypervisor


> 
> Did that policykit configuration work on f16?

yes.

Xfce Host but.
Gnome-Keyring, coolkey + deps are installed 


Will look further in the morning.
Comment 3 Cole Robinson 2012-02-13 18:46:47 EST
Moving to libvirt for now since it's not virt-manager specific
Comment 4 Frank Murphy 2012-02-21 14:45:11 EST
Uncertain if this is complicit:
http://lists.fedoraproject.org/pipermail/test/2012-February/105736.html
Comment 5 Eric Blake 2012-02-21 15:33:34 EST
Could possibly be a case of needing to backport this:

commit fcdfa31f3cad32f41ef5e7933c58d986ab7fc6c9
Author: Jim Fehlig <jfehlig@suse.com>
Date:   Wed Feb 15 10:01:50 2012 -0700

    Fix polkit0 authentication
    
    Commit 7033c5f2 introduced some bugs in polkit0 authentication.
    
    Fix libvirtd segfault in remoteDispatchAuthPolkit().
    
    Fix polkit authentication bypass when caller UID = 0.
Comment 6 Cole Robinson 2012-06-07 10:15:43 EDT
polkit0 isn't in F17, so I think this was just some transient f17/rawhide breakage. Closing as NOTABUG
Comment 7 Frank Murphy 2012-06-07 10:22:44 EDT
Can you re-consider? 
As logged in user:

~$ virsh --connect qemu:///system
error: authentication failed: Not authorized.

error: failed to connect to the hypervisor
Comment 8 Cole Robinson 2012-06-07 10:48:45 EDT
Sure Frank, reopening. This is on an up to date F17?
Comment 9 Frank Murphy 2012-06-07 10:54:28 EDT
Fully updated Xfce host with all necessary virt-apps.
Comment 10 Cole Robinson 2012-06-07 17:32:01 EDT
Frank, can you show output of the following:

sudo killall polkitd
/usr/libexec/polkit-1/polkitd --no-debug
sudo /usr/libexec/polkit-1/polkitd

and in another terminal

pkcheck --action-id org.libvirt.unix.manage --allow-user-interaction --process $BASHPID
Comment 11 Frank Murphy 2012-06-08 02:47:49 EDT
frank@testvm ~$ sudo killall polkitd
[sudo] password for frank: 
frank@testvm ~$ /usr/libexec/polkit-1/polkitd --no-debug
frank@testvm ~$ sudo /usr/libexec/polkit-1/polkitd
Entering main event loop
Connected to the system bus
Registering null backend at priority -10
Using authority class PolkitBackendLocalAuthority
Acquired the name org.freedesktop.PolicyKit1


2nd terminal 
frank@testvm ~$ pkcheck --action-id org.libvirt.unix.manage --allow-user-interaction --process $BASHPID
Not authorized.
Comment 12 Frank Murphy 2012-06-20 03:28:30 EDT
Must have been a weekend update I missed, this morning as logged in user on host:

~$ virsh --connect qemu:///system
WARNING: gnome-keyring:: couldn't connect to: /home/frank/.cache/keyring-oh45Dr/pkcs11: No such file or directory
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # 


virt-manager also connected as user.
Comment 13 Cole Robinson 2012-10-20 21:16:21 EDT
Okay, closing per comment #12
Comment 14 Richard W.M. Jones 2012-11-01 08:39:17 EDT
Reopening, as I see this error on Fedora 18:

$ virsh --connect qemu:///system list
error: authentication failed: polkit\56retains_authorization_after_challenge=1
Authorization requires authentication but no agent is available.

error: failed to connect to the hypervisor

What's particularly annoying about this error is that it
is not actionable.  It doesn't say what "agent" needs to be
running or what other steps the user can take to fix the
error.

libvirt-0.10.2-3.fc18.x86_64
polkit-0.107-3.fc18.x86_64

SELinux is permissive.

'/usr/sbin/libvirtd' is running.
'/usr/lib/polkit-1/polkitd --no-debug' is running.
Comment 15 Richard W.M. Jones 2012-11-01 08:41:55 EDT
Hmm, maybe this is a slightly different bug.  I have opened a
new bug 872166.